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Internal Audit progress report - September 2017 
The purpose of this report is to advise the Audit Committee of our progress since 
the last update in June 2017. 


Reviews completed 
GDPR Review 


The review of the GDPR project was completed in June. The overall assessment was 
Green and whilst there were some opportunities to improve, the programme of 
work was well controlled, utilising existing governance and management structures. 
There was one medium finding, which related to establishing a plan that includes 
significant milestones for each of the workstreams. 
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Progress to date 

Planning meetings have been held for the IT Procurement and IT Supplier 
Management reviews. The IT Procurement review has been scheduled for the end 
of September, and the IT Supplier Management for early December (specific dates 
are to be agreed in early September). Scheduling has been agreed for the Corporate 
Governance review which will take place in October. 


The follow up to GDPR is now scheduled for Q4 to allow sufficient time for actions 
from reviews in 2016-17 to be implemented. Specific timing is to be agreed with 
management shortly. 


The proposed review of Fee Forecasting has been deferred at the request of 
Management following delays in the development of the regulations. 


We have also had an initial meeting with the Head of Finance to plan an additional 
review on the ICO expenses process. The review will take place as soon as possible, 
subject to identifying resources. It will use time originally allocated to the Fee 
Forecasting review. 
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Overall summary of plan progress 


Audit 
Review Scope Timing Days Progress Committee 
report date 
Data The follow up the project review from 2016-17 and will include the follow up to the People Strategy 
Protection Law review carried out by Internal Audit in 2016. It will establish that the findings have been actioned and Q4 10 To be planned March 
Reform follow that the project overall is on track to deliver the outcomes each workstream is required to deliver. 
up Focus will be on the People Strategy and how the capacity and capability risks are being managed. 
Corporate Internal Audit has not reviewed the ICO corporate governance arrangements in the last four years. 
Governance The review will cover how corporate governance arrangements have changed for 2017-18 (including 
risk management) and incorporated the changes to the organisation. The ICO has established a new October 14 To be planned January 
senior leadership team and the Information Commissioner started in July 2016. The review will 
compare new governance and organisation structures to best practice. 
Fee Should the ICO establish a revised income through a new Registration Fees model and potentially 
Forecasting * other sources of income, the ICO may be able to plan more strategically and hence deliver more 
services (such as investigations, education programmes, audits). The audit will establish how the ICO Deferred = 
established what the income should be from fees and incorporate the process to chase outstanding 
fee payment. 
IT ICO will be involved in more procurement of IT products and services as the strategy is to take more 
Procurement responsibility for IT services. The review will establish the approach to procuring IT services and Se omber 9 Planning Januar 
establish that the ICO will be able to go to market making use of existing government procurement P commenced y 
frameworks where appropriate and ensue that those frameworks represent value for money. 
IT supplier The ICO currently has one main IT services contract with Northgate and a number of smaller or 
Contract specialist suppliers. While there is formality over the Northgate contract management the level of December 8 Planning Januar 
Management formal management over the smaller value contacts may be insufficient. The review will establish commenced y 
whether sufficient controls are in place for smaller contracts. 
Expenses ** Following changes made by HMRC, the ICO no longer can apply for dispensation. The review is to September 
establish that the ICO’s expenses policy is being appropriately applied and that the controls operate pe 5-7 Planning started January 
to enforce the policy. 
Follow Up Review of the arrangements to capture and implement audit recommendations in a timely manner. Q4 3.5 Yet to start March 
* Deferred 
** Additional review 
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and its member firms are not agents of, and do not obligate, one another and are not liable for one 
anothet’s acts or omissions. Please see grant-thornton.co.uk for further details 


This publication has been prepared only as a guide. No responsibility can be accepted by us for loss 
occasioned to any person acting or refraining from acting as a result of any material in this publication. 


